The Fight to Uncover Spyware Exports to Repressive Regimes

Thomas Brewster

The UK’s High Court ruled yesterday that HM Revenue and Customs acted “unlawfully” when it declined to detail how it was investigating the export of digital spy tools created by a British company.

Human rights group Privacy International is celebrating the decision of Mr Justice Green, which means HMRC now has to reconsider releasing information on its investigation into controls surrounding the export of malware known as FinFisher, created by British supplier Gamma International.

The widespread FinFisher malware family, also known as FinSpy, can carry out a range of surveillance operations, from snooping on Skype and Facebook conversations to siphoning off emails or files sitting on a device. It is supposed to benefit law enforcement in their investigations, but has allegedly been found in various nations with poor human rights records, including Bahrain and Ethiopia.

The software came to the public’s attention when it was detailed in documents said to have been held by the deposed Hosni Mubarak government of Egypt. Privacy International believes the equipment “is being used by oppressive governments for a wide range of human rights abuses.”

During the court hearings, two activists offered evidence: Dr Ala'a Shehabi from anti-surveillance group Bahrain Watch and Tadesse Kersmo, an Ethiopian political refugee living in the UK. They both claimed to have been targeted by FinFisher tools, which they believed were placed on their personal computers by governments to surreptitiously track them and their contacts. I caught up with both Shehabi and Kersmo to hear about their experiences.

Shehabi, a Bahraini/British national whose father founded the Bahrain Freedom Movement, does not know for sure she was targeted by the Bahrain government, but suspects the administration was responsible. Prior to the attempts to infect her computer, she was arrested along with the British Channel 4 news team during the pro-democracy protests that surrounded the Bahrain Grand Prix in April 2012.

Soon after being released in Manama, the capital of Bahrain, Shehabi was sent an email purporting to be from a contact, offering information on an agenda for secret talks with King Hamad bin Isa Al Khalifah. The details were contained in an attachment that, when opened, launched a blank page in a browser and then silently installed malware onto her system, she said.

Further emails arrived from different contacts in the following days, including someone claiming to be a journalist. With each message, the attempts to persuade her to open the malicious attachment became more aggressive, she added. In those cases, she didn’t click on the attachment.

Along with the shoddy grammar of the messages, the additional emails rang alarm bells for Shehabi. She handed the emails and attached files to security researchers at Toronto-based Citizen Lab, which claimed FinFisher software was resident on the activist’s machine. “This was a very basic, primitive attempt, directly sending you software, but they do it in various ways now, they can push through the software without you realising you've downloaded it,” said Shehabi. Owing to her swift response, she does not believe much data was taken from her PC.

Gamma has previously claimed it never sold to Bahrain and the Bahrain administration denies assertions that it bought or used FinFisher malware. “Select individuals continue to unjustifiably associate their personal malware to the Government and all evidence collated by the accusers show no link to the Bahraini Government,” a spokesperson told me. “The country has made significant progress in the past two and half years, and individuals that continue to galvanize international attention based on speculation must be challenged.”

Gamma has also suggested the copies of FinFisher found in Bahrain could have been stolen. Bahrain Watch has questioned those claims.

The FinFisher creator, which has facilities in the UK, Germany and Switzerland, has previously declined to comment on whom it has signed contracts with, as that would only play into the hands of genuine criminals its software is designed to expose. It did not respond to requests for comment on the cases of Shehabi and Kersmo.

Whether or not the Bahraini government was responsible, it’s clear to Shehabi that many Bahraini activists are facing threats online. “My initial assumption was that this was the Bahraini government, but it could be any other government,” she explains. “From what I know from the security specialists, they think that many Bahraini individuals have been targeted—journalists, lawyers…”

In his signed evidence for the trial, Kersmo, a member of the Ethiopian pro-democracy group Ginbot 7, said Privacy International also found FinFisher malware on his computer, which had been sitting on the machine for almost a year. He said his suspicions were initially aroused when Ginbot 7’s minutes, “often doctored,” appeared on a pro-Ethiopian government website.

Kersmo is furious with the Ethiopian government, whom he blames for the attack. “Ethiopia has one of the last remnants of Stalinist type totalitarian government,” he said over email. “The Ethiopian government was successful in using this software. It has stolen several documents, it has edited them in a way they suit its purpose and then used them for negative propaganda… Skype conversations were recorded.”

Ethiopia has strongly denied the accusations. “This is a fabrication by groups bent to tarnish the image of Ethiopia. The constitution of the country guarantees freedom of expression and the alleged intrusion into individual privacy is punishable by law. I hope the newspaper knows the source of this kind of malicious propaganda. We remain committed to the letter and spirit of the constitution,” a spokesperson from the Ethiopian Embassy in London said.

Whoever was behind the attacks, the government malware that has landed on the activists’ PCs has had a chilling effect. Shehabi says the attacks have left her considerably less trusting of the internet. “You assume everything you're saying online is being watched. It's like standing outside your front door and anyone can see you. You don't have privacy online. I always feel very exposed online, so I'm always very conscious of what I say and do.

“Without regulation these private companies are going to be spying on not just activists, it could be anyone—politicians, journalists, lawyers—in a similar way to governments are spying on everyone as per the NSA revelations.”

Both Shehabi and Kersmo are, at least, thankful for the High Court’s decision this week. “I think this has put the pressure on the government to really take the issue of surveillance by force much more seriously, that these things are traceable and that the big companies that are manufacturing them are able to operate and export to repressive regimes knowingly … This is an important first step in challenging that,” Shehabi added.

Kersmo and Privacy International have taken their fight to other authorities. Earlier this year, the alleged offence was reported to the UK’s National Cyber Crime Unit, a group within the National Crime Agency. The case has been passed on to an investigating officer.

“If the FinFisher product is sold to repressive regimes, Gamma is providing them with the ideal tool to commit the offences of unlawful interception of communications. Gamma is aware of the fact that the relevant government will commit such an offence, and that by selling FinFisher it provides crucial assistance in carrying out this offence,” the complaint read.

Despite his ire at Ethiopia, Kersmo, like Privacy International, is concerned about the potentially illegal compromise of a PC on UK soil. According to him, “One of the major victims in this espionage is the UK ... its sovereignty has been infringed.”